Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(ci): improvements to gha workflows #7089

Open
wants to merge 10 commits into
base: master
Choose a base branch
from

Commits on Mar 12, 2024

  1. chore(ci): apply hardening to ci jobs

    - chore: apply 'Harden Runner' auditing to all ci tasks
    - chore: apply `persist-credentials: false` to checkout tasks
    - chore: publish dependency graph and add dependency review check
    - chore: add codeql scan job (temp)
    
    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.6.0...b4ffde6)
    
    Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 4.1.3.
    - [Release notes](https://github.com/actions/dependency-review-action/releases)
    - [Commits](actions/dependency-review-action@0efb1d1...9129d7d)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
    - dependency-name: actions/dependency-review-action
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: StepSecurity Bot <[email protected]>
    Signed-off-by: Sam Gammon <[email protected]>
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    2 people authored and sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    095952a View commit details
    Browse the repository at this point in the history
  2. chore(ci): refactor into reusable workflows

    This change refactors the main CI workflow into two new workflows, `on.pr.yml` and
    `on.push.yml`, which each call into the exiting CI job as a reusable workflow.
    
    This has the nice benefit of putting all tests, checks, builds, etc., on one screen
    during development on GitHub, allows customization of the PR vs. push flow, and yet
    keeps behavior fully consistent between the two.
    
    - chore: move ci jobs to `workflow_call` trigger
    - chore: add entrypoint jobs for PR and Push events
    - chore: cleanup permissions and dispatch checks/tests
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    a5826e6 View commit details
    Browse the repository at this point in the history
  3. chore(ci): switch to enforced hardening mode

    This changeset switches the StepSecurity hardening action to enforced mode, where
    previously it was running in `audit` mode. Now, audit logs have been gathered and
    it is time to seal off the list of accessible network endpoints for a given job.
    
    - chore: gather and apply network endpoints for each job
    - chore: move to `block` mode for `egress-policy` in `step-security/harden-runner`
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    7faf45d View commit details
    Browse the repository at this point in the history
  4. feat(ci): slsa provenance support

    This changeset adds SLSA 3+ provenance support to the workflow. The main CI run has now been
    split into two: `ci.build.yml`, which only builds the library and is provenance-capable, and
    `ci.test.yml`, which is the previous CI logic.
    
    The regular build logic is applied only on push, and can be applied on PRs too, with publish
    of provenance material turned off. The test suite is invoked from PRs.
    
    The workflows have been split into build/test phases to avoid publishing provenance data and
    GitHub artifacts for build matrix outputs. JARs are uniform across OS targets, so there is no
    need to gather and publish for more than Ubuntu.
    
    - feat: add slsa support to build workflow
    - chore: split `test` into `build` and `test` workflows
    - chore: use new workflows (build/test) from push/pr triggers
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    9417e1c View commit details
    Browse the repository at this point in the history
  5. chore(ci): build with --strict-checksums

    Fails the build if any downloaded dependencies fail their checksum
    verification.
    
    - chore: add `--strict-checksums` flag to `mvnw` calls in ci
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    3403c87 View commit details
    Browse the repository at this point in the history
  6. chore(ci): build avoidance (javadoc, gpg)

    - chore: don't rebuild javadoc during tests in ci
    - chore: don't run with gpg enabled in ci
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    0d6f994 View commit details
    Browse the repository at this point in the history
  7. chore(build): parameterize deploy repositories

    Adds two build parameters
    - `publishing.repository.snapshots`: Snapshot repo to deploy to
    - `publishing.repository.releases`: Releases repo to deploy to
    
    Both default to their current values, Sonatype. This small inert
    change allows a fork to easily publish to a different repository
    without resorting to a code change.
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    9c03223 View commit details
    Browse the repository at this point in the history
  8. feat(build): sigstore publishing plugin

    This changeset adds the Maven Sigstore plugin for use during
    publishing to Sonatype and other public repositories.
    
    - chore: add sigstore plugin to build
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    5a3edfe View commit details
    Browse the repository at this point in the history
  9. chore(ci): document gha workflows

    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    36538cc View commit details
    Browse the repository at this point in the history
  10. chore(ci): add spdx plugin

    Signed-off-by: Sam Gammon <[email protected]>
    sgammon committed Mar 12, 2024
    Configuration menu
    Copy the full SHA
    c5846e1 View commit details
    Browse the repository at this point in the history